I'm trying to do a get request via javascript/jquery to attain all of my workspace IDs in asana. I know when I just put the URL in the browser, asana returns all of my workspace IDs. However, when I do a GET request of the same URL, I'm getting a 401 error (Not Authorized).
How do i fix this? I know after I do a login through OAuth I am provided a token, am I supposed to do something with that?
$.get("https://app.asana.com/api/1.0/workspaces", function(data){
alert("Data: " + data);
});
Also, please do not tell me to do it on the server side instead. I'm doing a simple web application and I'm doing it with javascript/jquery. That is not an answer. Thank you.
You need to authenticate your request, either using OAuth or the API Key. If you're developing an application for others to use, and you want them to be able to access their Asana data, you probably want to use OAuth - if it's just for a script you run for yourself, your API Key should be fine.
Generally speaking, OAuth has enough nuances that if you're using it (and not intimately familiar with it), we'd recommend using a library of some kind. If you're using jQuery, perhaps https://gist.github.com/andyedinborough/1012960 would help? (Caveat: I haven't tried it myself)
The short version of OAuth is that you need to get a token, which you can then pass to the API in the form of an HTTP header of the form Authorization: Bearer $TOKEN. It sounds like you already have a token, so you just need to add the header and it should work. And yet, GET is the correct verb to use here.
Related
I have a URL that will accept POSTed data and store a record of it — this is for analytics. I need to secure that against anyone in the world from POSTing to it, but what possible authentication mechanism can I use that it is safe to expose the details of? I don't think the javascript can access any secret data without making it public.
I could base it off any HTTP header, but these can all be spoofed, right?
If it helps, both client and server are https.
Edit: I think I need to state the problem more explicitly; sorry, I thought I could explain it concisely, but it's clearly not coming across! Imagine the following:
A static page at https://example.com/index.html includes a script, https://example.com/script.js.
The script makes a request to another remote URL, e.g.
ajax_call('https://stats.example.com/stats.php', 'some data');
The stats.php script simply writes 'some data' to a file
Now, the flaw is that anyone can simply POST anything to stats.php and it will write to the file. I want to restrict that to just my 'client', i.e. https://example.com/index.html.
If I could, I would do something like this in stats.php:
if ($_SERVER["HTTP_REFERER"] == 'https://example.com') {
do_stuff();
} else {
die('not allowed');
}
but I've always been under the impression that HTTP_REFERER (and other similar headers) could just be spoofed, so that woud be pointless.
I need to secure that against anyone in the world from POSTing to it, but what possible authentication mechanism can I use that it is safe to expose the details of?
If the endpoint needs to be accessed by the browser of everybody who visits a public website, then you can't.
The browser is completely under the user's control. They can inspect everything the browser does. They can then recreate that using some other HTTP client.
If you trust the browser enough to let it make the request to your analytics API then you must trust the owner of the browser too. It is impossible to separate them.
The best you can do is analyse the data sent to the analytics API for usual or impossible patterns of behaviour.
You Can USE CORS and so enable your BackEnd to receive ONLY REQUEST from a specific HOST/DOMAIN
There seems to be so many choices and I don't have time to read into depth about all of them.
I started using
$.ajax({...})
but now that I use React this is the only place in my app that I use jQuery. I'm basically sending the whole library to the client for this one call.
I then thought about using
window.fetch
However this was not workable because passport does not authenticate this request. I liked it because it was native JavaScript. I don't understand why it is not authenticated by passport code running on my server like the jQuery ajax call was.
I also looked at this library briefly as another way.
github - request
Looks like it might be overkill to make an authenticated ajax request.
Could I just user a native ajax request. Would this be authenticated?
This would be a 4th way - Native Ajax Request - MDN
I normally adopt for native / minimalist solutions even if it means having to write a bit more code.
Passport needs to confirm the session by using cookies but Fetch API doesn't send cookies by default, I think you should add the credentials flag to your request like this:
const options = {
credentials: 'include'
};
fetch(url, options).then(...);
read more about it here: MDN
I am creating a browser extension which posts to salesforce chatter using rest api.Once I get the access_token from OAuth user agent flow,I can not make call to rest services from javascript,due tobrowser same origin policy.I do not want to use a server as proxy,since I want to make the extension purely client side.
I tried JSONP workaround,but it only works for GET,I need POST to post a feed to salesforce chatter
is there a possible way.Please suggest some work around
Maybe consider passing your call to a custom rest service in salesforce. Setup a global class with the #RestResource annotation, and then within that an doPost method to handle what you're passing, in your case to make the post.
You'll still need the Oauth step to retrieve token that is then passed in with the rest request via the Authorization : Bearer header message.
See a good post on this here https://wiki.developerforce.com/page/Creating_REST_APIs_using_Apex_REST
Since Salesforce '15 you are able to configure CORS. Therefor whitelist your app domain and you can do whatever you want. Does not solve the problem to obtain an access_token. The only approach to obtain an access_token purely by javascript is to use the User-Agent Flow since the access Token is passed as URL Part....
One option is to use site like http://www.ajax-cross-domain.com/
Here is good reference on this matter http://www.d-mueller.de/blog/cross-domain-ajax-guide/
Use jsforce, you will need a proxy due to the CORS problem, sorry.
i've got a little problem with AJAX, CouchDB and JavaScript.
I can open the following URL from CouchDB in my browser: http://192.168.1.58:5984/mydb/name
new Ajax.Request('http://192.168.1.58:5984/mydb/namee', {
method: 'POST',
onComplete: function(transport) {
alert(transport.responseText);
}
});
I always get empty alert.
Can you help me?
The problem here is, that your browser doesn't allow you to make a query on an other web server than the one where you're script originates. (Google for: Same Origin Policy)
But there is a kind of a common technique which is a workaround for this use case. It's called JSONP. Since version 1.0 you have to activate this functionality first in CouchDB. In the section [httpd] of your CouchDB configuration file (.ini) you have to add an
allow_jsonp = true
After this is done you can produce JSONP queries on your CouchDB. Basically adding dynamically lines like this:
<script type="text/javascript"
src="http://server2.example.com/getjson?callback=parseResponse">
</script>
But for details refer to the article linked above.
Anyway I propose on the JavaScript side of things to use a Framework as jQuery, DojoToolKit, ect. In jQuery e.g. it is enough to add "?callback=?" at the end of the URL.
AJAX doesn't support cross domain scripting. all calls need to be to a URL with the same domain as the one of the current document.
a good solution would be to build a proxy service on the server side, that will take the local
request, make an HTTP call to the couchDB server, and return it's response.
I'm trying to make an HTTP Get request using JQuery, but I get an empty string as a response, so I figure I'm doing something wrong. I used the documentation from http://api.jquery.com/jQuery.get/ as a guide.
My code looks like this
$.get("http://www.last.fm/api/auth/?api_key=xxxkeyxxx", function(data){
window.console.log(data);
});
Edit: My code now looks like this
$.getJSON("http://www.last.fm/api/auth/?api_key=c99ddddddd69ace&format=json&callback=?",
function(data){
window.console.log(data);
});
But I'm getting a
syntax error
[Break on this error] \n
And it's located in http://www.last.fm/api/auth/?api_key=c99ddddddd69ace&format=json&callback=?
Latest edit: It seems this is because last.fm is responding with html not JSON, any ideas would be appreciated
Unless your script is being served from www.last.fm, then you will not be able to do this, due to the Same Origin Policy restrictions imposed by browsers.
You should investigate proxying the request through your server.
last.fm will respond with login page... check the docs ...
If the user is not logged in to
Last.fm, they will be redirected to
the login page before being asked to
grant your web application permission
to use their account. On this page
they will see the name of your
application, along with the
application description and logo as
supplied in Section 1.
copied from
http://www.last.fm/api/webauth
pkaeding is partially correct - you wont be able to do this in the way you are attempting, but last.fm does offer a RESTful API with json.
Last.fm API - http://www.last.fm/api/rest
jQuery API - http://api.jquery.com
you need to use jsonp method iin getting data cross domain here is an example and thread of someone doing so